Category Archives: Google Project Zero

uTorrent vulnerabilities allow information disclosure and remote code execution

Posted on by

A BitTorrent client with more than 100 million users suffered numerous critical vulnerabilities including remote code execution and copying downloaded files, according to new information from Google’s Project Zero. Users were left exposed for several hours on Tuesday when the bug was public and a new security patch didn’t quite work. A new and effective patch was delivered Tuesday night. Google security researcher Tavis Ormandy informed BitTorrent Inc. of the issues with the uTorrent client in December 2017. A patch was made public early Tuesday but Ormandy says that, after a small tweak, his exploits continued to work in the default configuration. “This issue is still exploitable,” Ormandy explained. “The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway. I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch.” On late Tuesday night, BitTorrent Inc.’s […]

The post uTorrent vulnerabilities allow information disclosure and remote code execution appeared first on Cyberscoop.

Continue reading uTorrent vulnerabilities allow information disclosure and remote code execution

Bug in Grammarly browser extension exposes virtually everything a user ever writes

Posted on by

The Grammarly browser extension, which has about 22 million users, exposes its authentication tokens to all websites, allowing any to access all the user’s data without permission, according to a bug report from Google Project Zero’s Tavis Ormandy. The high-severity bug was discovered on Friday and fixed early Monday morning, “a really impressive response time,” Ormandy wrote. Grammarly, launched in 2009 by Ukrainian developers, looks at all messages, documents and social media posts and attempts to clean up errors so the user is left with the clearest English possible. The browser extension has access to virtually everything a user types, and therefore an attacker could access a huge trove of private data. Exploitation is as simple as a couple of console commands granting full access to everything, as Ormandy explained. It’s not clear if the vulnerability was ever exploited. Grammarly has not responded to a request for comment. The vulnerability affected Chrome and Firefox. Updates are now available for […]

The post Bug in Grammarly browser extension exposes virtually everything a user ever writes appeared first on Cyberscoop.

Continue reading Bug in Grammarly browser extension exposes virtually everything a user ever writes

Meltdown and Spectre fallout: patching problems persist

Posted on by

In the days since Meltdown and Spectre have been made public, we’ve tracked which elements of the design flaw, known as speculative execution, are vulnerable and how different vendors are handling the patching process.
Categories:

Exploits… Continue reading Meltdown and Spectre fallout: patching problems persist

Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

Posted on by

Intel, Amazon, ARM, Microsoft and others have shared patch updates to keep customers informed on their mitigation efforts to protect against the far reaching Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide.  Continue reading Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Posted on by

Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulne… Continue reading Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone

Posted on by

Critical bugs in all modern processor chips that allow attackers to potentially steal sensitive data were publicly revealed Wednesday after months of private security industry work and days of public speculation. Named “Meltdown” and “Spectre,” the vulnerabilities could allow attackers to find passwords or sensitive documents stored in memory. The exploits work on personal computers, mobile devices and on cloud infrastructure that relies on hardware dating back to 1995. For most people, the solution is to install security updates for their operating system quickly and regularly. It’s not clear if the exploits have been used in the wild, because neither leave any traces in log files. One of the researchers to independently discover these flaws was Google Project Zero’s Jann Horn. Horn “demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible,” Google’s security team explained in a blog post. “For example, an unauthorized party […]

The post Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone appeared first on Cyberscoop.

Continue reading Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone

Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone

Posted on by

Critical bugs in all modern processor chips that allow attackers to potentially steal sensitive data were publicly revealed Wednesday after months of private security industry work and days of public speculation. Named “Meltdown” and “Spectre,” the vulnerabilities could allow attackers to find passwords or sensitive documents stored in memory. The exploits work on personal computers, mobile devices and on cloud infrastructure that relies on hardware dating back to 1995. For most people, the solution is to install security updates for their operating system quickly and regularly. It’s not clear if the exploits have been used in the wild, because neither leave any traces in log files. One of the researchers to independently discover these flaws was Google Project Zero’s Jann Horn. Horn “demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible,” Google’s security team explained in a blog post. “For example, an unauthorized party […]

The post Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone appeared first on Cyberscoop.

Continue reading Meet ‘Meltdown’ and ‘Spectre,’ the chip flaws causing problems for nearly everyone

The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit

Posted on by

A Google researcher announced that he is planning to release a powerful tool for iOS 11 that the security community thinks it can use to jailbreak the iPhone. Continue reading The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit